Professional Documents
Culture Documents
Electronic Commerce Security 2017
Electronic Commerce Security 2017
E-Business
Business Serving
Model Customers
Web Site
Packets might be
Modified in transit
May be spoofed
May contain bad payload.
Network layer security provides
Authentication and integrity
Confidentiality
Access control
Application Layer Security
Border Router
First / last router under control of
system administration.
DMZ
Demilitarized zone.
Security is low, since not protected
by firewall. Locate webservers and
other services there that generate
potentially unsafe traffic.
Firewall
Filters packages based on a
variety of rules.
Firewall Application Level Filtering
Snort:
Allows to set up rules that pass a packet on to another service.
Commercial firewalls
Include application level filters for many products.
Use non-disclosure agreement to obtain proprietary protocols
Proxy Firewalls
Proxy firewall
Forward Proxy
Receives requests from the inside.
Processes requests.
Translates them into requests to
the outside on other card.
Receives answers from outside
and translates to the inside.
Acts on behalf of inside machine
that is protected from the vagaries
of the internet.
Virtual Private Networks
Virtual Private Networks
Application Level
Pretty Good Privacy
Secure Shell (SSH)
Transport Level
Secure Socket Layer
Does not protect the package, but its content.
Typically runs at the application level of the OS, so OS does not need
to be changed.
Network Level
IPSec
Encrypts package itself.
Encrypted package receives a new package header.
IPSec protects port address, but not destination address.
OS need to be changed (but only once: Win2000, WinXP)
Data Link
Layer 2 Tunneling Protocol addition to Point-to-Point protocol
(PPP)
Encrypts packets on the data layer.
Virtual Private Networks
If messages were
KeyAB
handwritten, they would
have locked them in a msg
box and despatched
But How Can They Do This on
Internet?
A million question ?
E-commerce Security Issues
Confidentiality A B
C
Authenticity A B
Integrity A B
C
Code Meaning
Hat boat
Has been sent arrives
Friday tomorrow
Ciphertext d e f g h i j k l m n o p q r s t u v
hello KHOOR
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
Cleartext A B C D E F G H I J K L M N O P Q R S
Ciphertext d e f G h i j k l m n o p q r s t u v
04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22
KeyAB
msg KeyAB
KeyAB
msg
+KeyAB
msg {\\\\\}KeyAB {msg}KeyAB msg
XOR
Pay Rs. 100/- 0+0=0
0+1=1
100 1+0=1
1+1=0
1100100 1100101
1100101 0000001
0000001 1100100
Comparison of Time and Money Needed
to Break Different Length Keys
Length of key in bits
Cost 40 56 64 80 128
Symmetric Key
Asymmetric key
Symmetric Key Cryptography in
Real World: ATMs
Step 0
Provide Kcard/ATM and KATM/Bank to ATM
Bank should have KATM/Bank, your identification
and PIN
Your credit card should have your PIN and
identity
Identity What is PIN Transactions?
& PIN your
via card PIN?
BLOB
Information
The Key Management Problem
KAC KAB
KBC
Kerberos
Identity
Password
Plaintext or Cleartext
Step 0
What KDC
know and
KA does K
B
I am Asha I
want to talk
to Bharat
KA KB
What Asha
know and
does
What
Bharat
What Prem
know and
know and
does
does
Step 1
What KDC
know and
does
I am Asha I
want to talk
to Bharat
KA KB
What Asha
know and
does
What
Bharat
What Prem
know and
I am Asha I know and
does
want to talk does
to Bharat
Step 2
Bharats Ticket
Part Abr. Explanation
Asha The initial ticket requester
Bharat The end recipient of ticket
Time Stamp TS The time that KDC developed the
ticket
Time Duration TD Duration of validity of ticket
Session Key KAB Session Key
Step 2
Ashas Ticket
Part Abr. Explanation
Asha The initial ticket requester
Bharat The end recipient of ticket
Time Stamp TS
The time that KDC developed the
ticket
Time Duration TD Duration of validity of ticket
Session Key KAB Session Key
Recipients Key {///} End Recipients Ticket
Step 2: Asha receives two tickets
Ashas Ticket (decrypted using Ashas password)
Bharats Ticket (decrypted using Bharats password)
Public Key
Private Key
The Process
Step 6: B creates its own message digest (MD3) using the same hashing
algorithm on the plaintext message (PT2). If MD2 = MD3 B concludes
that the message must have come from A and it has not been tempered
with.
Digital Signature takes care of
Authentication
Message integrity
Non-repudiation
Advantages and Disadvantages of Cryptographic Systems
Size of resulting encrypted text Usually same as or less More than the original plain
than the original size text size
Key agreement/exchange A big problem No problem
Number of keys required Equals about the square of Same as the number of
the number of participants, participants
so scalability is an issue
3. Validity Date
59
SSL architecture
TCP
IP
60
SSL Handshake
61
Not-recognizable Certificate
62
SSL
Server responds
with hello
message
Send server certificate
Client sends containing servers public
response key
Server receives
Send client certificate and client response
encrypted private session and initiates
key sessions
messages
authentication
confidentiality
compression
e-mail compatibility
segmentation and reassembly
key management
generation, distribution, and revocation of public/private keys
generation and transport of session keys and IVs
PGP / services